Want to Beat Social Engineering? Training Is Key
Social engineering is an insidious – and highly successful – method of data theft. Training users to spot it is the key to beating it.
By Jason Riddle, LBMC Managed Security Services
Of all the misunderstandings out there about hacking and network security, one of the biggest may be that network intrusion and data theft are purely a matter of technical ability: clever code and malicious software slicing through a company’s technical defenses. This can happen – but much more common are social engineering attacks, exploits that focus more on human vulnerabilities than technical weaknesses.
Those "human exploits" take a number of forms, including phone calls to customer service impersonating a user to obtain private information and sophisticated email-based spoofs that insert attackers right in the middle of sensitive business conversations.
To stop social engineering attacks, you have to do more than keep pace with the latest technological innovations. You have to take a thoughtful, holistic approach to your security strategy. We’ve collected some key tips to help you do just that.
Make Training a Priority (for Everyone)
Today, security training has to be a priority for everyone – not just the security team. And it’s about much more than not leaving passwords lying around.
Make sure your team is aware of the full range of social engineering strategies out there, particularly the ones most relevant to their roles. If an individual’s job is public-facing, they should know about common impersonation tactics. You should establish clear and strict procedures dictating what information may be provided to whom and under what circumstances. And you need to make certain that your employees understand how important it is to follow these procedures without exception.
Your staff members have another security role to play, too. Many early red flags of network intrusion first make themselves known to your employees, often as seemingly minor complaints about the network. A slow connection, a password that suddenly doesn’t work – these can be important indicators that something more serious is amiss.
If your employees experience these irregularities, they need to make it a policy to report immediately to your IT security specialists. Rapid response to early signals like these can spell the difference between a successful data theft and a pre-empted attack. Train your team to be an integral part of your organization’s security efforts.
Social Engineering in Email
One important area of concern is email. Scammers are sometimes able to insinuate themselves into email conversations between business partners through a technique known as "man-in-the-email."
Sometimes this social engineering strategy spoofs an email thread between two of a company’s executives discussing and then authorizing a transaction. The spoofed email is forwarded to someone at the business who is responsible for transferring funds. If the spoof successfully emulates the executives and creates a sense of urgency, this may prompt the individual to quickly send funds to an unknown bank account – which is of course owned by the bad guys.
In another iteration, the scammers target two companies, generally organizations already doing business with one another, spoofing both sides in order to start a conversation – then invisibly facilitating and editing the dialogue to suit their goals. At an opportune moment, perhaps after a planned transaction, the attacker (pretending to be Company A) tells Company B that they’ve recently changed their bank account.
These are common – and commonly successful – social engineering attacks. So how can you defend against them?
First, pay close attention to email addresses. Spoofers can often acquire a domain name that is close to yours. They might use a .co extension instead of .com, a zero in place of an "o" or a slight misspelling. They also might use a lowercase L in place of an uppercase i or a numeral one.
To minimize the chances of this spoof strategy, you can buy any obviously opportune domain variants. You should also avoid free webmail like Gmail and Yahoo, which is much easier to spoof.
To be more comprehensive in your security efforts, you can make a policy of forwarding instead of replying in email chains, always entering your recipient’s email manually to ensure it’s correct. This might slow you down by a few seconds, but it’s a more secure process. No matter what, you should delete all obvious spam emails immediately, without opening them, downloading any attachments, clicking on any links or replying.
Two more steps you can take are more about your business policy than your email technique. Use a minimum of two forms of communication with major business partners, verifying any major changes through a second mode of communication. Don’t move forward on significant transfers of data or funds based only on email.
By taking a thoughtful approach to network security that encompasses all of your staff and your broader communication strategies, you’ll have a strong framework for effective security. With this foundation in place, your business should be less susceptible to social engineering attack.
Jason Riddle is practice leader at LBMC Managed Security Services where he helps defend his clients’ networks. He has more than 15 years of experience working both as a consultant, advising commercial and government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security and compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.